
Apache warns of critical flaws in MINA, HugeGraph, Traffic Control

The Apache Software Foundation has released security updates to address three severe problems that affect MINA, HugeGraph-Server, and Traffic Control products.

The vulnerabilities were patched in new software versions released between December 23 and 25. However, the holiday period may lead to a slower patching rate and increased risk of exploitation.

One of the bugs is tracked as CVE-2024-52046 and impacts MINA versions 2.0 through 2.0.26, 2.1 through 2.1.9, and 2.2 through 2.2.3. The issue received a critical severity score of 10 out of 10 from the Apache Software Foundation.

Apache MINA is a network application framework that provides an abstraction layer for developing high-performance and scalable network applications.

The problem lies in the ‘ObjectSerializationDecoder’ component and is caused by unsafe Java deserialization, which can lead to remote code execution (RCE).

The Apache team clarified that the vulnerability is exploitable if the ‘IoBuffer#getObject()’ method is used in combination with certain classes.

Apache addressed the issue with the release of versions 2.0.27, 2.1.10, and 2.2.4, which enhanced the vulnerable component with stricter security defaults.

However, upgrading to those versions isn’t enough on its own. Users also need to explicitly configure the decoder to reject all classes unless they are allowed, using one of the three methods provided for that purpose.

The vulnerability impacting Apache HugeGraph-Server versions 1.0 through 1.3 is an authentication bypass problem tracked as CVE-2024-43441. It is caused by improper validation of authentication logic.

Apache HugeGraph-Server is a graph database server that enables efficient storage, querying, and analysis of graph-based data.

The authentication bypass problem was addressed in version 1.5.0, which is the recommended upgrade target for HugeGraph-Server users.

The third flaw is identified as CVE-2024-45387, which the Apache Software Foundation rated with a critical severity score of 9.9. It is an SQL injection problem impacting Traffic Ops versions 8.0.0 to 8.0.1.

Apache Traffic Control is a Content Delivery Network (CDN) management and optimization tool.

The problem in the product is caused by insufficient input sanitization of SQL queries, allowing arbitrary SQL command execution via specially crafted PUT requests.

The problem was fixed in Apache Traffic Control version 8.0.2, released earlier this week. The Apache team noted that versions 7.0.0 up to 8.0.0 are not impacted.
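The defect class behind the Traffic Ops flaw, request input spliced into SQL text, shown as an added example beside its parameterized form. This is not code from the article or from the Traffic Control project (Traffic Ops itself is written in Go, where the equivalent fix is database/sql placeholders); the `servers` table, its `id` and `hostname` columns, and the handler shape are constructed for illustration.

```java
// Added example, not from the article or the Traffic Control project.
// Table and column names are constructed; JDBC is standard.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

public final class ServerRepository {
    private final Connection conn;

    public ServerRepository(Connection conn) {
        this.conn = conn;
    }

    // VULNERABLE pattern: values taken from a PUT body are concatenated into
    // the SQL string. A quote character in the hostname field terminates the
    // string literal and the rest of the value is parsed as SQL; a non-numeric
    // id field is likewise interpreted as SQL rather than as a number.
    public int updateHostnameUnsafe(String idFromRequest, String hostnameFromRequest)
            throws SQLException {
        String sql = "UPDATE servers SET hostname = '" + hostnameFromRequest
                   + "' WHERE id = " + idFromRequest;
        try (Statement st = conn.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // HARDENED pattern: validate the type and shape of each field first, then
    // bind the values as parameters. The driver sends parameters separately
    // from the statement text, so they can never change the query structure.
    public int updateHostname(String idFromRequest, String hostnameFromRequest)
            throws SQLException {
        int id;
        try {
            id = Integer.parseInt(idFromRequest);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be an integer");
        }
        // Hostname allowlist: letters, digits, dots and hyphens, RFC-length bound.
        if (!hostnameFromRequest.matches("[A-Za-z0-9.-]{1,253}")) {
            throw new IllegalArgumentException("invalid hostname");
        }
        String sql = "UPDATE servers SET hostname = ? WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, hostnameFromRequest);
            ps.setInt(2, id);
            return ps.executeUpdate();
        }
    }
}
```

Parameter binding is the fix; the input validation in front of it is a second layer that also rejects malformed requests early and gives a clean audit signal (a 400 on a PUT with a non-numeric id is worth logging). For detection on an unpatched 8.0.x deployment, rejected or malformed PUT bodies and database errors raised by the Traffic Ops API handlers are the places to look.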

System administrators are strongly advised to upgrade to the latest product versions as soon as possible, especially as attackers often choose to strike at this time of year, when companies have fewer employees on duty and response times are longer.
